Removing 1 modular exponentiation
Watson Ladd
watsonbladd at gmail.com
Mon Feb 19 21:48:51 UTC 2007
> that's not really a problem. all computations are done in the group
> ZZ_p. 1/k really means the inverse of k modulo the order of g in ZZ_p.
> So b/k does not have to be an integer.
>
> putting the security of the scheme aside, one question that comes to
> mind is how Alice (the OP) is going to get an authentic copy of Ricky's
> DH public key, y. One way to do this is to include it in the router
> descriptors. But then we have to ask if it's worth adding a new public
> key for each OR to the Tor PKI to just save one exponentiation during
> session key agreement.
>
> -James
>
We already distribute different keys for the current protocol. But the
one I proposed is insecure so we might as well forget about it. Schnorr
signatures are secure and are intended for this purpose, but we can only
use them after 2008.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20070219/7cac4f1a/attachment.pgp>
More information about the tor-talk
mailing list